7.3
CVE-2025-56132
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introdu…
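The pattern behind this class of bug, as an added example that is not LiquidFiles code: a reset handler whose status and body differ by account existence, the uniform-response version beside it, and the two-request comparison a tester runs to spot the oracle. The user table, outbox and messages are constructed for the example; the PBKDF2 call on both branches is there only to keep the timing of the two paths comparable, and a real deployment would additionally hand the mail to a queue so the response does not wait on delivery.

```python
import hashlib
import os

# Constructed in-memory account store standing in for the application's user table.
USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}
OUTBOX = []  # reset mails "sent" during the example, so the side effect is observable


def reset_vulnerable(email):
    """Distinguishable responses: status and body reveal whether the address is registered."""
    if email in USERS:
        OUTBOX.append(email)
        return 200, "Password reset instructions have been sent to your email."
    return 404, "No account found for that email address."


def reset_hardened(email):
    """One status and one body regardless of outcome; only the side effect differs."""
    if email in USERS:
        OUTBOX.append(email)
    # Spend comparable CPU on both branches so a timing oracle does not simply
    # replace the body oracle (mitigation, not a proof of constant time).
    hashlib.pbkdf2_hmac("sha256", email.encode(), os.urandom(16), 1000)
    return 200, "If an account exists for that address, reset instructions have been sent."


def responses_distinguishable(handler, known_valid, known_invalid):
    """Tester's check: does a known account and a bogus address yield different (status, body)?"""
    return handler(known_valid) != handler(known_invalid)
```

Run the same check against the production endpoint with one address you own and one that cannot exist; any difference in status, body, headers or redirect target is the enumeration oracle.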
6.5
CVE-2025-52049
In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter.
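The injection described above reduced to a runnable shape, as an added example that is not ErpNext code: a lookup that splices the caller's `timelog` value into the SQL string, the parameterised version, and a UNION payload that pulls rows from an unrelated table through the vulnerable one. The schema, rows and secret are constructed in an in-memory SQLite database; the table and column names are placeholders, not ErpNext's.

```python
import sqlite3


def make_db():
    """Constructed schema: a rate table the function is meant to read, and one it is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE timesheet_detail (name TEXT, billing_rate REAL);
        CREATE TABLE user_secrets (email TEXT, api_key TEXT);
        INSERT INTO timesheet_detail VALUES ('TS-0001', 120.0);
        INSERT INTO user_secrets VALUES ('admin@example.com', 'k-constructed-secret');
    """)
    return conn


def get_rate_vulnerable(conn, timelog):
    """String formatting puts the caller in control of the statement."""
    sql = f"SELECT billing_rate FROM timesheet_detail WHERE name = '{timelog}'"
    return [row[0] for row in conn.execute(sql)]


def get_rate_hardened(conn, timelog):
    """Placeholder binding: the value is data, never parsed as SQL."""
    sql = "SELECT billing_rate FROM timesheet_detail WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (timelog,))]


# Closes the quoted literal, appends a UNION over another table, comments out the rest.
PAYLOAD = "x' UNION SELECT api_key FROM user_secrets--"
```

The same fix in Frappe terms is passing the value to `frappe.db.sql` through its placeholder argument instead of formatting it into the query text.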
7.5
CVE-2025-56572
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
6.5
CVE-2025-59956 - AgentAPI exposed user chat history via a DNS rebinding attack
AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. This allows for the …
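Why a Host-header check stops this, as an added example that is not AgentAPI code: after rebinding, the browser connects to 127.0.0.1 but still sends `Host: attacker.example`, so a local-only service that only trusts the bind address lets the request through. The check below accepts only the loopback names on the listener's own port; the port 8080, the request shape and the endpoint text are assumptions for the example.

```python
from urllib.parse import urlsplit

LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def host_allowed(host_header, listen_port):
    """True only if the Host header names this loopback listener on the right port.

    A rebinding request carries the attacker's domain in Host even though the
    TCP connection arrives on 127.0.0.1, so comparing Host is what defeats it.
    """
    if not host_header:
        return False
    parts = urlsplit("//" + host_header)        # handles [::1]:port and optional port
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return False                            # junk after the host, or user@host tricks
    try:
        port = parts.port                       # ValueError on a non-numeric port
    except ValueError:
        return False
    if (parts.hostname or "").lower() not in LOCAL_HOSTNAMES:
        return False
    if port is None:
        return listen_port == 80                # a bare host means the default port
    return port == listen_port


def handle(request, listen_port=8080):
    """Minimal dispatcher: refuse before the sensitive endpoint is touched.
    `request` is a dict with 'host' and 'path' (constructed shape, not AgentAPI's)."""
    if not host_allowed(request.get("host"), listen_port):
        return 421, "Misdirected Request"
    if request.get("path") == "/messages":
        return 200, "[chat history would be served here]"
    return 404, "Not Found"
```

Binding to a port is not the same as authenticating the caller; any browser on the machine is a potential client, so localhost HTTP services also need a Host (and, for cross-origin calls, Origin) check or a token.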
9.1
CVE-2024-58040 - Crypt::RandomEncryption for Perl uses insecure rand() function during encryption
Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.
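What "insecure rand()" costs in practice, as an added example that is not the module's code: a key built from a seeded, non-cryptographic PRNG collapses the key space to the seed space, so an attacker who knows the approximate clock value used as seed recovers the key by trying a few thousand candidates. The Python `random.Random` stands in for Perl's `rand()`/`srand()`, the XOR "cipher", the timestamp, the plaintext and the search window are constructed for the example; `secrets` is the CSPRNG alternative (on the Perl side, the equivalent is drawing key bytes from the OS CSPRNG such as /dev/urandom).

```python
import random
import secrets


def keygen_insecure(seed):
    """Models the flaw: key bytes from a deterministic PRNG seeded with a guessable value."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


def keygen_secure():
    """Key bytes from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_bytes(16)


def xor_encrypt(key, data):
    """Constructed stand-in for the encryption step; symmetric, so it also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed(ciphertext, known_prefix, approx_time, window=600):
    """Attacker: the victim seeded from the clock near approx_time; try every candidate seed
    and keep the one whose key turns the ciphertext into the expected file header."""
    for seed in range(approx_time - window, approx_time + window + 1):
        key = keygen_insecure(seed)
        if xor_encrypt(key, ciphertext)[: len(known_prefix)] == known_prefix:
            return seed
    return None


def demo():
    victim_time = 1_700_000_000                       # constructed clock value used as seed
    key = keygen_insecure(victim_time)
    ciphertext = xor_encrypt(key, b"%PDF-1.7 constructed document body")
    # The attacker knows only roughly when the file was encrypted (here: 45 s off).
    found = recover_seed(ciphertext, b"%PDF-", victim_time + 45)
    plaintext = xor_encrypt(keygen_insecure(found), ciphertext) if found is not None else b""
    return found == victim_time, plaintext
```

The window of 1201 seeds is trivial to search; a 32-bit seed space is still only a few billion candidates, which is an afternoon on a laptop, whereas a 128-bit key from `secrets` is out of reach.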
9.3
CVE-2025-59954 - Knowage Contains a Remote Code Execution Vulnerability
Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Execution because the MetaService.java service evaluates input with an unsafe org.apache.commons.jxpath.JXPathContext. This issue is fixed in version 8.1.27.
8.7
CVE-2025-59952 - minio-java Client XML Tag is Vulnerable to Value Substitution
MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substit…
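How a substitution of this kind turns a server response into an information leak, as an added example that is not minio-java code: a client that expands `${env:NAME}` / `${sys:name}` references found in XML text will, when a hostile or compromised S3-compatible endpoint puts such a reference in an object key, fill in the client's own environment and then use (and send back) the expanded value. The reference syntax, the ListObjects-style response, the `DEMO_SECRET_KEY` variable and the system-property dictionary are all constructed for the example; the safe version simply treats tag text as the literal it is.

```python
import os
import re
import xml.etree.ElementTree as ET

# Models the unsafe behaviour: references in tag text are expanded against the
# process environment / "system properties" (the latter modelled as a dict here).
REFERENCE = re.compile(r"\$\{(env|sys):([A-Za-z0-9_.]+)\}")
SYSTEM_PROPS = {"user.name": "svc-minio"}   # constructed stand-in for System.getProperty()


def interpolate(text):
    """Unsafe: expands ${env:...} and ${sys:...} references inside the text."""
    def replace(match):
        kind, name = match.groups()
        if kind == "env":
            return os.environ.get(name, "")
        return SYSTEM_PROPS.get(name, "")
    return REFERENCE.sub(replace, text)


def object_keys(list_response_xml, expand_references):
    """Parse a ListObjects-style response and return the keys as the client would use them."""
    root = ET.fromstring(list_response_xml)
    keys = []
    for key in root.findall(".//{*}Key"):       # any namespace, since S3 uses a default one
        text = key.text or ""
        keys.append(interpolate(text) if expand_references else text)
    return keys


# Constructed response from a hostile or compromised S3-compatible endpoint.
HOSTILE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>reports</Name>
  <Contents><Key>${env:DEMO_SECRET_KEY}/${sys:user.name}</Key></Contents>
</ListBucketResult>"""


def demo():
    os.environ["DEMO_SECRET_KEY"] = "constructed-secret"   # constructed value for the example
    leaked = object_keys(HOSTILE_RESPONSE, expand_references=True)
    literal = object_keys(HOSTILE_RESPONSE, expand_references=False)
    return leaked, literal
```

The leaked key would then appear in the client's next request for that object, which is what makes a read-only "substitution" an exfiltration channel; the general rule is that anything parsed out of a network response is data and never a template.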
6.7
CVE-2025-59950 - FreshRSS: Double clickjacking can lead to privilege escalation
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button ins…
6.9
CVE-2025-61586 - FreshRSS is vulnerable to directory enumeration by setting path in its theme field
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.
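The existence oracle behind this issue and the fix, as an added example that is not FreshRSS code: a resolver that joins whatever the user typed into the theme field onto the themes directory and tests it on disk answers differently for `../private` and `../nothing-here`, which is all an attacker needs to map the server. The hardened resolver accepts only a plain name and confirms the resolved path still sits directly under the themes directory. The directory layout is constructed in a temporary directory for the example.

```python
import os
import re
import tempfile

THEME_NAME = re.compile(r"[A-Za-z0-9_-]+")   # no separators, no dots, no absolute paths


def resolve_theme_vulnerable(themes_dir, theme):
    """Existence oracle: any path the caller supplies is tested on the filesystem."""
    candidate = os.path.join(themes_dir, theme)   # '../x' or '/x' escapes themes_dir
    return candidate if os.path.isdir(candidate) else None


def resolve_theme_hardened(themes_dir, theme):
    """Allowlist the name, then verify the real path is a direct child of themes_dir."""
    if not THEME_NAME.fullmatch(theme):
        return None
    candidate = os.path.realpath(os.path.join(themes_dir, theme))
    if os.path.dirname(candidate) != os.path.realpath(themes_dir):
        return None                               # symlinked theme pointing elsewhere
    return candidate if os.path.isdir(candidate) else None


def demo():
    """Constructed layout: themes/Dark exists; ../private is a directory the attacker probes for."""
    root = tempfile.mkdtemp()
    themes = os.path.join(root, "themes")
    os.makedirs(os.path.join(themes, "Dark"))
    os.makedirs(os.path.join(root, "private"))
    probes = ["Dark", "../private", "../nothing-here"]
    vulnerable = [resolve_theme_vulnerable(themes, p) is not None for p in probes]
    hardened = [resolve_theme_hardened(themes, p) is not None for p in probes]
    return vulnerable, hardened
```

In the vulnerable column the second and third probes differ, which is the leak; in the hardened column every probe that is not a bare theme name gets the same answer as a missing theme.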
6.7
CVE-2025-59948 - FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in feed content, so by finding a page that renders feed entries without CSP, it is possible to execute an XSS payload. The Allow API access authentication setting needs to be…
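The server-side half of the defence, as an added example that is not FreshRSS code: a sanitiser that rebuilds feed HTML while dropping every `on*` attribute, URL attributes with an active scheme, and script-like elements with their content, using only the standard library. The tag and attribute lists are a reasonable baseline chosen for the example, not FreshRSS's policy; CSP remains the second layer for the page the advisory describes, where the sanitiser missed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
DROP_TAGS = {"script", "style", "iframe", "object", "embed"}   # tag and content removed
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}                  # "" is a relative URL


class FeedSanitizer(HTMLParser):
    """Re-emits markup, minus on* handlers, unsafe URL schemes and active elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0            # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:      # parser already lower-cases names, unescapes values
            if name.startswith("on"):
                continue               # onerror=, onload=, onmouseover=, ...
            if name in URL_ATTRS and value is not None:
                if urlsplit(value.strip()).scheme not in SAFE_SCHEMES:
                    continue           # javascript:, data:, vbscript:, ...
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped, so entities cannot smuggle markup


def sanitize(feed_html):
    parser = FeedSanitizer()
    parser.feed(feed_html)
    parser.close()
    return "".join(parser.out)
```

Because the output is regenerated from the parse tree rather than filtered with regular expressions, an attribute that the browser would see is one the sanitiser saw too; the remaining risk is a parsing difference between this parser and the browser, which is exactly what a `Content-Security-Policy` without `'unsafe-inline'` covers.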